editing/TypingCommand.cpp:
(WebCore::TypingCommand::makeEditableRootEmpty): Added. Removes all children
of the root editable element the selection is in, other than a
placeholder. Returns true iff it did anything.
(WebCore::TypingCommand::deleteKeyPressed): When there is only a single
visible position in the root editable element, but it has children other
than a placeholder, remove those children.

editing/TypingCommand.h:

editing/VisiblePosition.h:
Added a StayInEditableContent enum and a FIXME.

editing/VisibleSelection.cpp:
(WebCore::VisibleSelection::isAll): Added. Returns whether the
selection encompasses all visible positions, either in the document or
in the editable root.

editing/VisibleSelection.h:

WebKit/mac:

Reviewed by Simon Fraser.

WebKit part of <rdar://problem/6609509> Select All and then Delete
should put Mail editing back into the same state as a new message

For now just drop the deferred layout on the floor, since it causes an infinite hang in mail. Even
trying to schedule a relayout for later leaves you in a state where you hit the needsLayout painting
assertions.

Basically what Mail is doing is crazy, and we can't support it other than to just drop the last layout
and not do it (which is basically what was happening before).

Skip fast/forms/textarea-metrics.html. It's printing the TEST PASSED
before the test is finished. There's a race with any JS tests that
use setTimeout. Fortunately, this test doesn't need the setTimeout,
so it's easy to fix.

Fix for <rdar://problem/6828164>, Mail hits the !root->needsLayout() assert because it re-marks the FrameView for layout
when the FrameView is resized. This bug was exposed by the elimination of the separate WebKit layout
flag on Mac.

FrameView now defers setNeedsLayouts during size changes. Once all of the size changes are finished (including re-entrant ones
from WebDynamicScrollbarsView and ScrollView::updateScrollbars) we then do a layout if necessary.

Those values for textarea and inputs were derived by doing a ton of manual
testing of IE's width values for various textareas and fonts. On Windows we match
IE exactly except for a couple fonts of the ~12 tested.

To get the average and max character width of a font, we do the following
for each platform:
-Win: TextMetrics expose avgCharWidth and maxCharWidth
-SVG: avgCharWidth = width of an '0', fallback on width of a space glyph, then m_xHeight

maxCharWidth = width of a 'W' for roman fonts, fallback on m_ascent

-Linux: avgCharWidth = width of an '0', fallback on m_xHeight

maxCharWidth = max of avgCharWidth and m_ascent

-Mac: Calculate the avgCharWidth and grab the maxCharWidth off the font.

If either one is non-positive, then calculate the value using the Linux approach.

Fix for <rdar://problem/6835573>, Find Banner turns invisible when WebView is resized. Make sure
not to resize the interior views of a WebView in response to its bounds changing when not using
viewless WebKit. Auto-resizing rules were already in place to handle size adjustments for us.
Just mark as needing layout and do nothing else.

This does mean viewless WebKit is broken with the Find Banner, and that will likely require a
Safari change (using a new API that will enable clients to define the edges of the content area as offsets
from the sides of the WebView).

This was caused by faulty DOMWindow::document(), which could return a new document from
the window's frame after navigation.

bindings/js/JSDOMWindowCustom.h: (WebCore::JSDOMWindowBase::allowsAccessFromPrivate):
Removed an obsolete check that allowed access when document was null. Contrary to what a
comment said, that can happen for a window that is no longer in frame, not to one whose
document is not constructed yet.

bindings/js/JSXMLHttpRequestConstructor.cpp: (WebCore::constructXMLHttpRequest): Bail
out if context was not found. This currently happens due to a shortcoming in
DOMWindow::document() - when it is fixed, the XMLHttpRequest object in included regression
test will be constructed successfully, but won't be sent, because its context will be
frameless.

page/DOMWindow.cpp: (WebCore::DOMWindow::document): Check that the window in frame hasn't
been replaced yet. Added FIXME comments about how this may be better fixed in the future.

bindings/js/JSOptionConstructor.cpp:
(WebCore::JSOptionConstructor::document):
(WebCore::constructHTMLOptionElement):
Make matching changes to other constructors that hold a reference to global object.

bindings/objc/DOMPrivate.h: Add the new methods and a comment
about lineBoxRects being deprecated.

dom/Range.cpp:
(WebCore::Range::boundingBox): Call textRects (renamed from addLineBoxRects).
(WebCore::Range::textRects): Renamed from addLineBoxRects. Iterate over the
nodes instead of the RenderObjects to correctly account for offsets. Also
only call absoluteRectsForRange on RenderText.

rendering/RenderObject.cpp:
(WebCore::RenderObject::absoluteRectsForRange): Remove if conditions that made this
function very specific for the lineBoxRects API. These functions are still used
by the InspectorController, and this change improves what the Inspector shows.
(WebCore::RenderObject::absoluteQuadsForRange): Ditto.

<rdar://problem/6794691> Media documents and <video controls> never show controls on Windows

RenderThemeWin doesn't implement the media element controller rendering methods, so media
controls stopped rendering when we switched from RenderThemeSafari. Rather than having copies
of the code in both places, the logic is in a new class that is called from both.

Fix for <rdar://problem/6617298> Typing delete on an unquoted blank line unquotes the preceding, quoted blank line

Test: editing/deleting/type-delete-after-quote.html

When a selection is deleted that contains a whole number paragraphs plus a line break, we refrain from merging paragraphs after the delete,
since it is unclear to most users that such a selection actually ends at the start of the next paragraph. However, when a user hits delete
with a caret selection, they actually do expect the start of that paragraph to be merged into the paragraph before it. We can tell that
we're in this state because the TypingCommand creates the selection to delete but it doesn't change the endingSelection. So we can tell
that if we started with a caret selection, then we're not in this special case where we have to protect the user from unexpected behavior
from deleting a range they selected.

Test for <rdar://problem/6617298> Typing delete on an unquoted blank line unquotes the preceding, quoted blank line

editing/deleting/type-delete-after-quote.html: Added.

platform/mac/editing/deleting/delete-4038408-fix-expected.txt: This expected result change reflects a change in how the editing is done,
but the document structure remains the same, and there are no visible changes to the result.

Added a new nodeAtFloatPoint method which takes a FloatPoint
instead of the *super confusing* x/y tx/ty pairs that HTML uses.
Mostly this is just lots of minus-lines as the new code is *much* simpler.

I made all the SVG renderers use the new nodeAtFloatPoint and ASSERT_NOT_REACHED
for the nodeAtPoint HTML/CSS int x/y version.

Eventually the rest of CSS/HTML render objects will follow suit
and move to nodeAtFloatPoint (possibly renamed back to nodeAtPoint), but changing them
over was well outside the scope of this change.

SVG hit testing is not actually floating point precise yet, since its still
passed in an integer x/y. Certain transform hit-test edge cases are likely fixed
by moving to FloatPoint here, but I didn't try to find one.

This should not cause functional changes for common-case hit testing, thus
no tests changed, nor should new tests be needed.

platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
(WebCore::MediaPlayerPrivate::cacheMovieScale): use @try and @catch instead of
BEGIN_BLOCK_OBJC_EXCEPTIONS and END_BLOCK_OBJC_EXCEPTIONS for builds of QTKit
that throw an exception on QTMovieCurrentSizeAttribute but don't support
QTMoviePreferredTransformAttribute

Moved filterBoundingBox() from RenderSVGModelObject to SVGRenderSupport to share with other classes.
Gave RenderSVGText a modern clippedOverflowRectForRepaint and computeRectForRepaint.
RenderSVGText now applies transforms at paint() time instead of during chunk draw time
this should be much more efficient.

Fixed the order in which RenderSVGViewportContainer applied
transforms and clips. We now clip to the viewport first and apply
all transforms at once. Also since the viewport logic is now only
inside RenderSVGViewportContainer (instead of inside RenderSVGContainer)
we always know we have a viewport. We now use only viewportSize instead of
viewport() since RenderSVGViewportContainers can't have x/y offsets.

We now correctly transform the PaintInfo::rect (damage rect) when applying transforms.
This allowed us to apply the transform during text paint() instead of at chunk paint
time. Previously we had to apply the transform during chunk paint time because
RenderBlock (superclass of RenderSVGBlock) would check intersection with the damageRect
before telling any of the inlines to draw. Now that we adjust the damage rect correctly
we pass the intersection check correctly! (This probably fixed some <text> redraw bugs
but since I still have a bunch of those to fix, I've not tried to write additional tests
to cover these potential fixes yet.)

SVGRootInlineBox no longer needs to deal with transforms at chunk paint time, yay!

Work around <rdar://problem/6833240> by relying on static initialization to zero the entire struct.
This removes the need for us to explicitly initialize all of the members, which have a tendency
to change in meaning and number between versions of libxml2.

platform/graphics/win/QTMovieWin.cpp:
(QTMovieWinPrivate::QTMovieWinPrivate): Initialize m_widthScaleFactor and m_heightScaleFactor.
(QTMovieWinPrivate::cacheMovieScale): New, calculate difference between initial
size and natural size so naturalSize() accounts for non-identity movie matrix.
(QTMovieWinPrivate::task):Call cacheMovieScale when load state reaches
kMovieLoadStateLoaded for the first time. kMovieLoadState -> QTMovieLoadState.
(QTMovieWinPrivate::drawingComplete): kMovieLoadState -> QTMovieLoadState.
(QTMovieWinPrivate::createGWorld): Don't bother creating gworld until load state reaches
kMovieLoadStateLoaded because we do not try to draw it before that point.
(QTMovieWinPrivate::setSize): Do not change movie box before reaching kMovieLoadStateLoaded
because we need to get the movie's initial size in cacheMovieScale.
(QTMovieWin::getNaturalSize): Multiply width and height by initial scale.

We implement playForMillisecs() which makes sure the video
will have been playing for a minimum time.

Note, this does not ensure a strict synchronization between the time
asked and the media playback. But given that media playback is the
slow part we just need to compensate for the delay involved by playback.
(And not the other way around.)

Moreover, we split the test in 3 in order to be more gentle which
slower machines that may tend to timeout more easily on those tests.

media/video-played-collapse-expected.txt: Added.

media/video-played-collapse.html: Added.

media/video-played-expected.txt:

media/video-played-reset-expected.txt: Added.

media/video-played-reset.html: Added.

media/video-played.html:

Split tests in multiple files.

Makes sure we always play as much as requested by using
playForMillisecs();

<rdar://problem/6822344> Use of QTMovieCurrentSizeAttribute generates exception and will crash

QTMovieCurrentSizeAttribute generates an exception with some versions of QTKit, so calculate a
multiplier to scale from natural size to current size when a movie is opened and use that to
return the correct value from the naturalSize() method.

The problem here is that we had a self-painting layer nested inside
a non-self-painting layer. We ended up ignoring the self-painting
layer both during painting and hit-testing. This patch corrects
that.

If it has been set to allow any HTTPS certificates for this host, set
kCFStreamSSLAllowsExpiredCertificates to true to allow expired
certificate, and set kCFStreamSSLValidatesCertificateChain false to skip
certificate chain validation. (<rdar://problem/6382059>)

<rdar://problem/6822225> Full page zooming of <video> element in the browser window doesn't work well

Fix a 'size changed' notification thrash that caused standalone video elements
to continually resize after full page zooming, by using the movie's natual size (which is independent
of zooming), rather than its current size (which is not).

Note that this regresses <​https://bugs.webkit.org/show_bug.cgi?id=25029>, so we have to
disable the media/video-size-intrinsic-scale.html test. However, we have to stop using
QTMovieCurrentSizeAttribute anyway; this will be addressed, and the test re-enabled via
<rdar://problem/6822344>.

Plugins/WebBaseNetscapePluginView.mm: Removed checkIfAllowedToLoadURL:frame:callbackFunc, cancelCheckIfAllowedToLoadURL, and
_webPluginContainerCancelCheckIfAllowedToLoadRequest from the base class. These methods now exist in the subclass WebNetscapePluginView.

Added WebNetscapeContainerCheckContextInfo, which is used as a "contextInfo" object in
-[WebNetscapePluginView checkIfAllowedToLoadURL:frame:callbackFunc:]

Plugins/WebNetscapePluginView.h: Added two new ivars: _containerChecksInProgress and _currentContainerCheckRequestID.

Plugins/WebNetscapePluginView.mm: #import both WebPluginContainerCheck.h and WebNetscapeContainerCheckContextInfo.h

(-[WebNetscapePluginView checkIfAllowedToLoadURL:frame:callbackFunc:]): Added. This is the implementation of WKN_CheckIfAllowedToLoadURL.
Here, we increment the request ID and start the container check.

(-[WebNetscapePluginView _containerCheckResult:contextInfo:]): Added. This is a callback method for WebPluginContainerCheck.
It's where we actually call into the plug-in and provide the allow-or-deny result.

(-[WebNetscapePluginView cancelCheckIfAllowedToLoadURL:]): Added. This is the implementation of WKN_CancelCheckIfAllowedToLoadURL.
Here we lookup the check, cancel it, and remove it from _containerChecksInProgress.

(-[WebNetscapePluginView _webPluginContainerCancelCheckIfAllowedToLoadRequest:]): Added. WebPluginContainerCheck automatically calls
this method after invoking our _containerCheckResult: selector. It works this way because calling -[WebPluginContainerCheck cancel] allows
it to do it's teardown process.

The crash happened because a cached resource handle was removed from a document's cached
resources map twice recursively, so a destructor was called for a value in a deleted bucket.
The first call was from Cache::evict, and when destroying CachedResourceHandle destroyed
CachedResource, DocLoader::removeCachedResource() was called again, with HashMap being in
an inconsistent state.

I couldn't fully reconstruct the loading sequence to make a test.

loader/Cache.cpp:
(WebCore::Cache::revalidateResource): Assert that the resource being revalidated is in cache
(it makes no sense to revalidate one that isn't).
(WebCore::Cache::evict): Don't remove the resource from document's map. Removing a resource
from the cache in no way implies that documents no longer use the old version. This fixes the
crash, and also fixes many cases of resource content being unavailable in Web Inspector.

loader/CachedResource.h:
(WebCore::CachedResource::setInCache): When bringing a revalidated resource back to cache,
reset m_isBeingRevalidated to maintain the invariant of resources being revalidated never
being in cache. This fixes another assertion I saw on LexisNexis search: in rare cases,
switchClientsToRevalidatedResource() results in the same resource being requested again,
but we were only enforcing CachedResource invariants after calling this function.
(WebCore::CachedResource::unregisterHandle): Assert that the counter doesn't underflow.

loader/DocLoader.cpp: (WebCore::DocLoader::removeCachedResource): Assert that the passed
resource is removed, not some other resource that happens to have the same URL (this used to
fail on LexisNexis search before this patch).

loader/ImageDocument.cpp: (WebCore::ImageTokenizer::write): Replaced ASSERT_NOT_REACHED
with notImplemented(). This method can be legally called via document.write(), and should
work. LexisNexis takes this code path, but apparently has a fallback for Safari, so it
doesn't affect site functionality.

loader/CachedResource.cpp:
(WebCore::CachedResource::clearResourceToRevalidate): Don't assert that m_resourceToRevalidate
is being revalidated - this may no longer be true, because we now reset this member in
CachedResource::setInCache().

JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Let VS
re-order the file list, and added JavaScriptCore[_debug].def to the
project. This was not necessary for the fix, but made making the fix
easier.

JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore_debug.def:
Removed a function that no longer exists.

Most of the signals in WebKitGTK+ have the G_SIGNAL_ACTION flag,
but I don't think this makes sense. The flag is meant for those
signals that can be emitted by the user to trigger some action in
the view, as if it were a normal API, which is not the case for
most of them.

loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadItem): Allow shouldScroll to be true even if m_currentHistoryItem is 0.
Not sure if when this case can really arise in practice, but it's good to match the original
logic more closely.

A width or height of zero for the destination or source rect of an
image causes a not invertible pattern matrix.
This crahes newer versions of Cairo and give some graphic gliches in
Canvas.
With this patch we check if there is something to draw and return if not.

Fix point mapping and hit testing through transforms and perspective
with ENABLE_3D_RENDERING. Previously the code did the more efficient
move(), rather than getTransformFromContainer(), when the object had
no transform. However, this skipped the application of perspective
when the immediate child of the perspective element had no transform
itself.

rendering/RenderLayer.cpp:
(WebCore::RenderLayer::createLocalTransformState):
Call shouldUseTransformFromContainer() to determine if we need to
go through the more expensive getTransformFromContainer() code
path.

rendering/RenderObject.h:

rendering/RenderObject.cpp:
(WebCore::RenderObject::shouldUseTransformFromContainer):
New method that indicates whether we need use getTransformFromContainer()
when mapping points through renderers, and hit testing.

BumperCar was holding a pointer to a WebHistoryItem they never retain, then later
tried to go to it. In some cases it would be dealloc'ed first.
When WebHistoryItems were pure Objective-C they probably got away with this more often.
With the WebCore/Obj-C mixed WebHistoryItems it's more likely to crash.

History/WebBackForwardList.mm:
(bumperCarBackForwardHackNeeded):
(-[WebBackForwardList backListWithLimit:]): If this is BumperCar, hang on to the
NSArray of WebHistoryItems until the next time this method is called.
(-[WebBackForwardList forwardListWithLimit:]): Ditto.

editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::moveParagraphs):
Only preserve an empty paragraph's style when moving paragraphs around if the selection is still
in an empty paragraph after the move occurs. This was causing the empty paragraph's style to overwrite
the previous paragraph's style during a delete of an empty paragraph.

If a media engine claims it can support the MIME type, WebCore now creates a <video>
element for document mode media files instead of an <embed> element. Because WebCore's
QuickTime backed media players do not support every kind of media the QuickTime plug-in
supports, and because it is not always possible to tell what type of media is in a file
without opening and parsing it, some types of media that used to be displayed properly
by a plug-in are no longer supported properly. To fix this, if the media engine
sees that it can not completely support a media file it now informs the media
document, which replaces the <video> element with an <embed>.

r42301 landed support for OSX. This patch modifies those changes slighly and adds support
for Windows.

loader/MediaDocument.cpp:
(WebCore::MediaDocument::MediaDocument): Initialize m_replaceMediaElementTimer.
(WebCore::MediaDocument::mediaElementSawUnsupportedTracks): Don't replace the <video>
element immediately.
(WebCore::MediaDocument::replaceMediaElementTimerFired): Renamed from replaceVideoWithEmbed.
Set body margin-width and margin-height to 0 as that is what a PluginDocument uses.

platform/graphics/win/QTMovieWin.cpp:
(QTMovieWinPrivate::task): Stop the task timer if we were disabled during the load state
change callback.
(QTMovieWinPrivate::drawingComplete): Don't do anything if disabled.
(QTMovieWin::QTMovieWin): Initialize m_disabled.
(QTMovieWin::disableUnsupportedTracks): Return total number of tracks.
(QTMovieWin::setDisabled): New, set m_disabled flag.